yaml deserialization, s3 buckets enum
This commit is contained in:
parent
c9f70905cf
commit
615effb8a0
|
|
@ -0,0 +1,84 @@
|
|||
# AWS S3 Enumeration
|
||||
|
||||
## Usage
|
||||
|
||||
* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
|
||||
* `--region`
|
||||
### Simple Storage Service (S3)
|
||||
* [S3](https://aws.amazon.com/s3/)
|
||||
* Methods of access control are as follows
|
||||
* [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
|
||||
* [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
|
||||
|
||||
* Scheme is
|
||||
```sh
|
||||
http://<bucketname>.s3.amazonaws.com/file.name
|
||||
```
|
||||
or
|
||||
```sh
|
||||
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
|
||||
```
|
||||
|
||||
* __List content of public bucket via__
|
||||
```sh
|
||||
aws s3 ls s3://<bucketname>/ --no-sign-request
|
||||
```
|
||||
* Download via `curl`, `wget` or `s3` cli via
|
||||
```sh
|
||||
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
|
||||
```
|
||||
|
||||
#### ACL
|
||||
* `Anyone`, just `curl`
|
||||
* `AuthenticatedUsers`, `s3` cli with aws key
|
||||
|
||||
## IAM
|
||||
* Not necessarily used by s3
|
||||
* Access key ID, starts with `AKIA` + 20 chars
|
||||
* Secret access key
|
||||
* Session token, `ASIA` + sessionToken
|
||||
|
||||
* Add credentials to profile via
|
||||
```sh
|
||||
aws configure --profile PROFILENAME
|
||||
```
|
||||
* Config and credentials is stored at `~/.aws`
|
||||
* Sanity test profile via
|
||||
```sh
|
||||
aws s3 ls --profile PROFILENAME
|
||||
```
|
||||
* Find account ID to an access key
|
||||
```sh
|
||||
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
|
||||
```
|
||||
* Find username to an access key
|
||||
```sh
|
||||
aws sts get-caller-identity --profile PROFILENAME
|
||||
```
|
||||
* Listing EC2 instances of an account
|
||||
```sh
|
||||
aws ec2 describe-instances --output text --profile PROFILENAME
|
||||
```
|
||||
* aws ec2 describe-instances --output text --profile PROFILENAME
|
||||
```sh
|
||||
aws ec2 describe-instances --output text --profile PROFILENAME
|
||||
```
|
||||
* In another region
|
||||
```sh
|
||||
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
|
||||
```
|
||||
|
||||
### AWS ARN
|
||||
* Unique ID is create via the following scheme
|
||||
```sh
|
||||
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
|
||||
```
|
||||
|
||||
### Secrets
|
||||
|
||||
```sh
|
||||
aws secretsmanager help
|
||||
aws secretsmanager list-secrets
|
||||
ws secretsmanager get-secret-value --secret-id <Name> --region <region>
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
# YAML Deserialization
|
||||
|
||||
* [CVE-2019-20477](https://packetstormsecurity.com/files/cve/CVE-2019-20477)
|
||||
* RCE via Yaml execution by Python
|
||||
|
||||
* [jolt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)
|
||||
|
||||
## Usage
|
||||
|
||||
* Example Payload insid foo.yaml gets executed via Python
|
||||
```sh
|
||||
!!python/object/apply:os.system ["id"]
|
||||
```
|
||||
Loading…
Reference in New Issue